ID

VAR-202001-1486


CVE

CVE-2019-10940


TITLE

SIEMENS SINEMA Server Incorrect Session Authentication Vulnerability

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNVD: CNVD-2020-02224

DESCRIPTION

A vulnerability has been identified in SINEMA Server (All versions < V14.0 SP2 Update 1). Incorrect session validation could allow an attacker with a valid session, with low privileges, to perform firmware updates and other administrative operations on connected devices. The security vulnerability could be exploited by an attacker with network access to the affected system. An attacker must have access to a low privileged account in order to exploit the vulnerability. An attacker could use the vulnerability to compromise confidentiality, integrity, and availability of the affected system and underlying components. At the time of advisory publication no public exploitation of this security vulnerability was known. SINEMA Server Contains a privilege management vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. SINEMA Server is the network management software designed by Siemens for Industrial Ethernet. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided

Trust: 2.34

sources: NVD: CVE-2019-10940 // JVNDB: JVNDB-2019-014225 // CNVD: CNVD-2020-02224 // IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNVD: CNVD-2020-02224

AFFECTED PRODUCTS

vendor:siemensmodel:sinema serverscope:eqversion:14.0

Trust: 1.0

vendor:siemensmodel:sinema serverscope:ltversion:14.0

Trust: 1.0

vendor:siemensmodel:sinema server sp2 updatescope:ltversion:v14.01

Trust: 0.8

vendor:siemensmodel:sinema serverscope:ltversion:14.0 sp2 update 1

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNVD: CNVD-2020-02224 // JVNDB: JVNDB-2019-014225 // NVD: CVE-2019-10940

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10940
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-10940
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-02224
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202001-536
value: CRITICAL

Trust: 0.6

IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2019-10940
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-02224
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2019-10940
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.1
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2019-10940
baseSeverity: CRITICAL
baseScore: 9.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNVD: CNVD-2020-02224 // JVNDB: JVNDB-2019-014225 // CNNVD: CNNVD-202001-536 // NVD: CVE-2019-10940

PROBLEMTYPE DATA

problemtype:CWE-269

Trust: 1.8

problemtype:CWE-266

Trust: 1.0

sources: JVNDB: JVNDB-2019-014225 // NVD: CVE-2019-10940

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-536

TYPE

other

Trust: 0.8

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNNVD: CNNVD-202001-536

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014225

PATCH

title:SSA-880233url:https://cert-portal.siemens.com/productcert/pdf/ssa-880233.pdf

Trust: 0.8

title:Patch for SIEMENS SINEMA Server Incorrect Session Authentication Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/197091

Trust: 0.6

title:Siemens SINEMA Server Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108523

Trust: 0.6

sources: CNVD: CNVD-2020-02224 // JVNDB: JVNDB-2019-014225 // CNNVD: CNNVD-202001-536

EXTERNAL IDS

db:NVDid:CVE-2019-10940

Trust: 3.2

db:ICS CERTid:ICSA-20-014-02

Trust: 2.4

db:SIEMENSid:SSA-880233

Trust: 2.2

db:CNVDid:CNVD-2020-02224

Trust: 0.8

db:CNNVDid:CNNVD-202001-536

Trust: 0.8

db:JVNDBid:JVNDB-2019-014225

Trust: 0.8

db:AUSCERTid:ESB-2020.0157

Trust: 0.6

db:IVDid:FE5704E0-4E6D-4125-A613-57BA8AD43D7A

Trust: 0.2

sources: IVD: fe5704e0-4e6d-4125-a613-57ba8ad43d7a // CNVD: CNVD-2020-02224 // JVNDB: JVNDB-2019-014225 // CNNVD: CNNVD-202001-536 // NVD: CVE-2019-10940

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsa-20-014-02

Trust: 2.4

url:https://cert-portal.siemens.com/productcert/pdf/ssa-880233.pdf

Trust: 2.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-10940

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10940

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.0157/

Trust: 0.6

sources: CNVD: CNVD-2020-02224 // JVNDB: JVNDB-2019-014225 // CNNVD: CNNVD-202001-536 // NVD: CVE-2019-10940

SOURCES

db:IVDid:fe5704e0-4e6d-4125-a613-57ba8ad43d7a
db:CNVDid:CNVD-2020-02224
db:JVNDBid:JVNDB-2019-014225
db:CNNVDid:CNNVD-202001-536
db:NVDid:CVE-2019-10940

LAST UPDATE DATE

2024-08-14T14:25:59.121000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2020-02224date:2020-01-15T00:00:00
db:JVNDBid:JVNDB-2019-014225date:2020-02-06T00:00:00
db:CNNVDid:CNNVD-202001-536date:2021-09-18T00:00:00
db:NVDid:CVE-2019-10940date:2021-09-20T12:15:09.710

SOURCES RELEASE DATE

db:IVDid:fe5704e0-4e6d-4125-a613-57ba8ad43d7adate:2020-01-14T00:00:00
db:CNVDid:CNVD-2020-02224date:2020-01-15T00:00:00
db:JVNDBid:JVNDB-2019-014225date:2020-02-06T00:00:00
db:CNNVDid:CNNVD-202001-536date:2020-01-14T00:00:00
db:NVDid:CVE-2019-10940date:2020-01-16T16:15:15.887